From owner-freebsd-bugs Tue Apr 30 11:20:18 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 3606237B41B for ; Tue, 30 Apr 2002 11:20:02 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g3UIK2S91976; Tue, 30 Apr 2002 11:20:02 -0700 (PDT) (envelope-from gnats)
Received: from mail.wrs.com (unknown-1-11.windriver.com [147.11.1.11]) by hub.freebsd.org (Postfix) with ESMTP id 9B44337B404 for ; Tue, 30 Apr 2002 11:14:17 -0700 (PDT)
Received: from heavygear (heavygear [147.11.38.42]) by mail.wrs.com (8.9.3/8.9.1) with SMTP id LAA00034 for ; Tue, 30 Apr 2002 11:13:23 -0700 (PDT)
Message-Id:
Date: Tue, 30 Apr 2002 11:13:40 -0700
From: "Qing Li"
To:
Subject: kern/37606: genmask, rt_fixchange, and kernel panic
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         37606
>Category:       kern
>Synopsis:       genmask, rt_fixchange causes kernel panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 30 11:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Qing Li
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD a.b.com 4.5-STABLE FreeBSD 4.5-STABLE #0: Tue Mar 5 17:05:43 GMT 2002 root@a.b.com:/usr/obj/usr/src/sys/GENERIC i386
CPU: Pentium II/Pentium II Xeon/Celeron (265.37-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x634  Stepping = 4
  Features=0x80f9ff
real memory  = 167772160 (163840K bytes)
avail memory = 158347264 (154636K bytes)
>Description:
Creating a route entry with the -cloning flag and the -genmask option causes a kernel panic on 4.5-STABLE. The cloned entry created is a network route.

The problem appears to be in route.c, in the "rtrequest1" function, where

	if (!(rt->rt_flags & RTF_HOST) && (rt_mask(rt) != 0))
		rnh->rnh_walktree_from(.., rt_fixchange, .)

This newly created entry is immediately removed inside rt_fixchange. This invalid "rt" pointer is returned to the caller.

This problem did not show up in the previous version of the code, apparently due to the missing flag check on RTF_CLONING in the code above:

	if (cmd == RTM_RESOLVE)
		if ((*ret_nrt)->rt_flags & RTF_PRCLONING)			(old version)

	new version:
		if ((*ret_nrt)->rt_flags & (RTF_CLONING & RTF_PRCLONING))

The rt_parent is not assigned, so rt_fixchange returned immediately in the previous version. I am also not sure why rt_fixchange is needed if cmd is RTM_RESOLVE.
>How-To-Repeat:
	route add -net 10.2.10.5 -netmask 255.255.0.0 -cloning -genmask 255.255.255.0 64.81.55.1
	ping 10.2.10.6
>Fix:
*** route.c.org	Tue Apr 30 10:19:47 2002
--- route.c	Tue Apr 30 10:20:49 2002
***************
*** 846,851 ****
--- 846,854 ----
  	printf("rt_fixchange: rt %p, rt0 %p\n", rt, rt0);
  #endif
  
+ 	if (rt == rt0)
+ 		return 0;
+ 
  	if (!rt->rt_parent || (rt->rt_flags & RTF_PINNED)) {
  #ifdef DEBUG
  		if(rtfcdebug) printf("no parent or pinned\n");
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
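Review bot: The added `if (rt == rt0) return 0;` needs a comment in the hunk explaining why rt_fixchange can be handed the very entry that rtrequest1 is about to return (the description attributes this to the RTM_RESOLVE path now entering the walk for RTF_CLONING routes); without that, a later reader will read the check as dead code and drop it, reintroducing the freed-entry return. The hunk also leaves open the description's own question of whether rt_fixchange should run at all when cmd is RTM_RESOLVE; state in the change whether skipping the walk for that case was considered and rejected, or fold it into the same fix, since a walk that can free entries while the caller still holds a pointer to one of them is the root of the invalid "rt" pointer.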
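The dangling-pointer hazard the description explains, as an added example that is not part of the PR and is not FreeBSD's route.c: a toy routing table in plain C (struct toy_rt, toy_fixchange, toy_add and replay_clone are all hypothetical names constructed here) replays the How-To-Repeat sequence, first without and then with the PR's `rt == rt0` guard, and reports whether the caller got back an entry that the fixchange walk had already removed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model (constructed for this example, not FreeBSD's struct rtentry or
 * radix tree): a singly linked route list with parent links for clones. */
struct toy_rt {
    uint32_t dst, mask;
    struct toy_rt *parent;   /* set on cloned entries, like rt_parent */
    int removed;             /* 1 once unlinked; the kernel would free it */
    struct toy_rt *next;
};

struct toy_table { struct toy_rt *head; };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static void toy_unlink(struct toy_table *t, struct toy_rt *victim)
{
    struct toy_rt **pp;
    for (pp = &t->head; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == victim) {
            *pp = victim->next;
            victim->removed = 1;
            return;
        }
    }
}

/* Stand-in for rt_fixchange: rt0 is the route just added. A cloned entry
 * (one with a parent) whose destination now falls inside rt0's network is
 * stale and is removed. With guard == 0 the new route qualifies against
 * itself, which is the PR's bug; guard == 1 is the PR's fix. */
static int toy_fixchange(struct toy_table *t, struct toy_rt *rt,
                         struct toy_rt *rt0, int guard)
{
    if (guard && rt == rt0)
        return 0;
    if (rt->parent == NULL)
        return 0;
    if ((rt->dst & rt0->mask) == (rt0->dst & rt0->mask))
        toy_unlink(t, rt);
    return 0;
}

/* Stand-in for the rtrequest1 path: link the entry, then, for a network
 * route, walk the table and let fixchange prune. The new entry is handed
 * back to the caller whether or not the walk just removed it. */
static struct toy_rt *toy_add(struct toy_table *t, uint32_t dst, uint32_t mask,
                              struct toy_rt *parent, int guard)
{
    struct toy_rt *rt = calloc(1, sizeof *rt);
    struct toy_rt *cur, *next;

    if (rt == NULL)
        return NULL;
    rt->dst = dst & mask;
    rt->mask = mask;
    rt->parent = parent;
    rt->next = t->head;
    t->head = rt;
    if (mask != 0xffffffffu) {           /* not a host route, as in route.c */
        for (cur = t->head; cur != NULL; cur = next) {
            next = cur->next;            /* cur may be unlinked below */
            toy_fixchange(t, cur, rt, guard);
        }
    }
    return rt;
}

/* Replays How-To-Repeat: a cloning /16 with a /24 genmask, then the resolve
 * that clones 10.2.10.0/24 from it. Returns 1 when the caller receives an
 * entry the walk already removed (the invalid "rt" the PR describes). */
int replay_clone(int guard)
{
    struct toy_table t = { NULL };
    struct toy_rt *net, *clone;
    int dangling;

    net = toy_add(&t, ip4(10, 2, 10, 5), ip4(255, 255, 0, 0), NULL, guard);
    clone = toy_add(&t, ip4(10, 2, 10, 6), ip4(255, 255, 255, 0), net, guard);
    dangling = clone->removed;
    free(clone);                         /* still ours to free in the toy */
    free(net);
    return dangling;
}

int main(void)
{
    printf("without guard: caller holds removed entry = %d\n", replay_clone(0));
    printf("with guard:    caller holds removed entry = %d\n", replay_clone(1));
    return 0;
}
```

The toy marks a removed entry instead of freeing it so the outcome can be inspected; in the kernel the same pointer is freed, which is why the submitter sees a panic rather than a flag.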